Title: [Python]: CWE-611: XXE · Issue #424 · github/securitylab · GitHub
Open Graph Title: [Python]: CWE-611: XXE · Issue #424 · github/securitylab
X Title: [Python]: CWE-611: XXE · Issue #424 · github/securitylab
Description: Query Relevant PR: github/codeql#6112 Report Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files o...
Open Graph Description: Query Relevant PR: github/codeql#6112 Report Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entit...
X Description: Query Relevant PR: github/codeql#6112 Report Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entit...
Opengraph URL: https://github.com/github/securitylab/issues/424
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Python]: CWE-611: XXE","articleBody":"## Query\r\n\r\nRelevant PR: https://github.com/github/codeql/pull/6112\r\n\r\n## Report\r\n\r\nParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack.\r\nThis type of attack uses external entity references to access arbitrary files on a system, carry out denial of\r\nservice, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band\r\ndata retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out\r\nin this situation.\r\n\r\nThere are many XML parsers for Python, and most of them are vulnerable to XXE because their default settings enable\r\nparsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: \r\n\u003ccode\u003exml.etree.ElementTree.XMLParser\u003c/code\u003e, \u003ccode\u003elxml.etree.XMLParser\u003c/code\u003e, \u003ccode\u003elxml.etree.get_default_parser\u003c/code\u003e,\r\n\u003ccode\u003exml.sax.make_parser\u003c/code\u003e.\r\n- [x] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). *We would love to have you spread the word about the good work you are doing*\r\n\r\n## Result(s)\r\n\r\nNew:\r\n* * CVE-2021-44556\r\n* * CVE-2021-44557\r\n\r\nAlready existing:\r\n* CVE-2016-5851\r\n* CVE-2020-10799\r\n* CVE-2021-29421\r\n* CVE-2013-1665","author":{"url":"https://github.com/jorgectf","@type":"Person","name":"jorgectf"},"datePublished":"2021-08-25T15:18:16.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":15},"url":"https://github.com/424/securitylab/issues/424"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:83c03fc0-43b2-dc33-48c5-d2583c1a4c9d |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | 8DEA:490E8:125DFA3:195DEA0:6A4DE256 |
| html-safe-nonce | fdde0857e46d41c6c17ccfe384124bb6ae9cc503d482e10517ef6449c9c715b7 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI4REVBOjQ5MEU4OjEyNURGQTM6MTk1REVBMDo2QTRERTI1NiIsInZpc2l0b3JfaWQiOiI3NDY2NTU1MDQyNDY5NjM0NjQ2IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | 1c49c1bd9a3e55a4e0033aceb04bfdefa15f037c01b9a3432721d1b9975d177b |
| hovercard-subject-tag | issue:979292610 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/github/securitylab/424/issue_layout |
| twitter:image | https://opengraph.githubassets.com/7e74f07e1c2e3fcd7ae122262847525f6b8a6c346b3444c6e5e8afdea8996012/github/securitylab/issues/424 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/7e74f07e1c2e3fcd7ae122262847525f6b8a6c346b3444c6e5e8afdea8996012/github/securitylab/issues/424 |
| og:image:alt | Query Relevant PR: github/codeql#6112 Report Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entit... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | jorgectf |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/github/securitylab git https://github.com/github/securitylab.git |
| octolytics-dimension-user_id | 9919 |
| octolytics-dimension-user_login | github |
| octolytics-dimension-repository_id | 221101274 |
| octolytics-dimension-repository_nwo | github/securitylab |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 221101274 |
| octolytics-dimension-repository_network_root_nwo | github/securitylab |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width